I thought you could set SPAN to watch all traffic on the vlan coming through
the switch? Maybe that is in the later IOS'es or something. 

Spoofing of the IP address doesn't mean the PC is receiving on that IP
address. The packet could get constructed with Random IP info and fired off
into the ether... If the pc's are responding and you can get on the same
physical VLAN of the box, ping away. If you are crossing routers you will
get the MAC of the router, not the PC. 

  joe

 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, December 23, 2004 12:16 PM
To: [email protected]
Subject: RE: [ActiveDir] worm (very very OT)

For port spanning, I would have to do that on a port by port basis for 500
pc's!

we use cisco 3550 cat.

the virus is in Albany and i'm in NYC. they have no network support.
I'm it.

maybe i can get someone to change their ip to the same subnet of the spoofed
address and ping it and then do an arp -a?

thanks

-----Original Message-----
From: joe [mailto:[EMAIL PROTECTED]
Sent: Thursday, December 23, 2004 12:05 PM
To: [email protected]
Subject: RE: [ActiveDir] worm (very very OT)


Your switches, if serious business types, should have mirror ports that
allow you to plug into to see all traffic going across the switch. 

Correct, if the worm is spoofing, Ethereal won't have the real address but it
should have the real MAC. You can then tell your network people to dump some
data from the switches/routers that will tell you what the real IP is of the
MAC addresses. 

In general, probably worth grabbing your network person and asking them what
other options they have from the network side. They may even be able to look
at something and tell you directly which Ips?Acs are trying to connect to
whatever port it is they are going after without ever breaking out a
sniffer. 

  joe
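
As an added example (not from this thread or any of its posters), a small Python parser over constructed Ethernet/IPv4/TCP frames that does what joe describes: ignore the claimed source IP on traffic to port 10000 and group by source MAC, so a MAC that keeps changing its claimed IP stands out as the infected PC. It assumes the capture was taken on the PCs' own VLAN (e.g. from a mirror/SPAN port); the frames, MACs and addresses are constructed.

```python
import struct
from collections import defaultdict

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")  # fixed 20-byte IPv4 header
TCP_PORTS = struct.Struct("!HH")           # source port, destination port
SUSPECT_PORT = 10000                       # the port the worm in the thread targets

def parse_frame(frame):
    """Return (src_mac, src_ip, dst_ip, dst_port) for an IPv4/TCP frame, else None."""
    if len(frame) < ETH_HDR.size + IPV4_HDR.size:
        return None
    _, src_mac, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != 0x0800:                # not IPv4
        return None
    fields = IPV4_HDR.unpack_from(frame, ETH_HDR.size)
    ihl = (fields[0] & 0x0F) * 4           # header length incl. options
    proto, src_ip, dst_ip = fields[6], fields[8], fields[9]
    if proto != 6 or len(frame) < ETH_HDR.size + ihl + TCP_PORTS.size:
        return None                        # not TCP, or truncated
    _, dst_port = TCP_PORTS.unpack_from(frame, ETH_HDR.size + ihl)
    dotted = lambda b: ".".join(str(x) for x in b)
    mac = ":".join(f"{b:02x}" for b in src_mac)
    return mac, dotted(src_ip), dotted(dst_ip), dst_port

def spoofing_hosts(frames, port=SUSPECT_PORT):
    """Source MACs that claimed more than one source IP toward `port`. On the
    sender's own VLAN that MAC is the PC; across a router it is only the router."""
    claimed = defaultdict(set)
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed and parsed[3] == port:
            claimed[parsed[0]].add(parsed[1])
    return {mac: sorted(ips) for mac, ips in claimed.items() if len(ips) > 1}

def build_frame(src_mac, src_ip, dst_ip, dst_port):
    """Constructed sample frame (checksums left zero; fine for parsing)."""
    octets = lambda s: bytes(int(o) for o in s.split("."))
    eth = ETH_HDR.pack(b"\xff" * 6, bytes.fromhex(src_mac.replace(":", "")), 0x0800)
    ip4 = IPV4_HDR.pack(0x45, 0, 40, 0, 0, 64, 6, 0, octets(src_ip), octets(dst_ip))
    return eth + ip4 + TCP_PORTS.pack(40000, dst_port) + bytes(16)

# Constructed capture: one PC spraying port 10000 with random source IPs, one normal host.
SAMPLE = [
    build_frame("aa:bb:cc:00:00:01", "203.0.113.5", "10.0.0.9", SUSPECT_PORT),
    build_frame("aa:bb:cc:00:00:01", "198.51.100.7", "10.0.0.9", SUSPECT_PORT),
    build_frame("aa:bb:cc:00:00:01", "192.0.2.44", "10.0.0.9", SUSPECT_PORT),
    build_frame("aa:bb:cc:00:00:02", "10.0.0.15", "10.0.0.9", 80),
    build_frame("aa:bb:cc:00:00:02", "10.0.0.15", "10.0.0.9", SUSPECT_PORT),
]
```

Once a MAC is singled out, the switch's MAC address table (or an `arp -a` from a host on that subnet) maps it to the port and real IP of the infected PC.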


 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, December 23, 2004 11:30 AM
To: [email protected]
Subject: RE: [ActiveDir] worm (very very OT)

we're a switched network. i'd have to go to every pc(500) and run it. i'm
trying to avoid that. might as well run netstat -an on all pc's.

ethereal won't tell me the real address.

thanks

-----Original Message-----
From: Candee Vaglica [mailto:[EMAIL PROTECTED]
Sent: Thursday, December 23, 2004 11:16 AM
To: [email protected]
Subject: Re: [ActiveDir] worm (very very OT)


Use a network scanner, like Ethereal to monitor the traffic.


On Thu, 23 Dec 2004 11:11:43 -0500, Kern, Tom <[EMAIL PROTECTED]> wrote:
> this is way off and i apologize but you guys are really knowledgeable
> and such a great help, i thought i'd try here.
> 
> i have a number of pc's infected with some worm that goes out on port
> 10000 tcp and tries to attempt a DOS attack.
> 
> I don't know the worm and a google search didn't really turn
> anything up.
> 
> here's the thing. the worm uses a spoofed source address. my question
> is, is there any way to track down a spoofed address internally to the real
> address?
> 
> I don't know how to find the infected pc's.
> 
> thanks

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/